Guest Column | July 15, 2015

When Employees Put Data At Risk: Medical IT Client Horror Tales That Will Convince You To Encrypt (Part 1)

By Delano Collins, Chief Information Officer, EDTS

Read Part 2

While we all want to trust the people we work with, our experience implementing and managing IT and security services shows that employees go rogue more often than you might expect. Unaccounted-for data and files can be especially damaging in the healthcare field, where HIPAA compliance requires that medical facilities take reasonable measures to protect patient privacy.

This includes the requirement that patients’ electronic personal health information (ePHI) on PCs and mobile devices be protected by encryption. Unfortunately — but perhaps not unexpectedly — not everyone working in the healthcare industry is as respectful as they ought to be when it comes to HIPAA or patient privacy rights.

In the wrong hands, patient data contains enough personal information (Social Security number, birthdate, address, etc.) to enable criminals to perform identity theft and other financial crimes. A company found in violation of HIPAA may face damaging fines that can cripple a business, to say nothing of harmful reputational damage suffered when disclosing to patients that their private information has not been kept safe. It’s the responsibility of healthcare businesses — both to themselves and their patients — to put IT security solutions in place to protect ePHI from threats external and internal.

Against that cheery backdrop, here is the first of two cautionary tales of medical practices (true stories which we’ve witnessed firsthand) that did not live up to their responsibility.

Tale #1: The Case Of The Missing POS Terminal

Some businesses don’t think they need encryption until the issue slaps them in the face. In one particular case, the victim was a large medical practice that knew it was in a mess with its IT security. One of the first calls we received was from a panicked office administrator, alerting us that someone had created a rogue access point that anyone could use to get on their private network and access confidential data.

This was a new office admin, and through our asset inventory management we quickly determined that there was a missing POS terminal (a Windows 7 PC), which the practice hadn’t previously known was missing. This terminal was no longer on site, but it was online — using a public IP address different from those used by the business. At the time, everyone at that practice was saving work to local machines as well, and the sales terminal would have certainly had invoices on the hard drive. So, in addition to a defenseless network, the terminal itself likely held unencrypted ePHI.

The PC and mobile device security platforms we use, including our remote monitoring and management platform and Beachhead’s SimplySecure, exist for scenarios like this. With these tools, we were able to monitor activity on the terminal and quickly determine the identity of the user. As it turned out, he was an acquaintance of a former contract IT worker hired directly by the practice in the past. From what the medical practice remembered, this contractor sounded like a scam artist. In the course of appearing to complete IT duties, the contractor had simply walked out of the building with the machine, taking all that patient data with him (with the practice none the wiser).

Using our tools, we’re able to remotely revoke access to a device and remotely shut off network access as well, which we did in this case. Tools like SimplySecure are able to report when access is severed and data is encrypted and safe. They also allow us to remotely wipe specific sensitive files, but the medical practice was unable to tell us what files were on the computer; there had been too much personnel turnover and they were too disorganized to keep track.

HIPAA requires encryption for ePHI on PCs and mobile devices, but it’s important to recognize that sometimes encryption is not enough. In cases where a sinister or simply careless employee lets computer credentials (login name and password) fall into the wrong hands, encryption by itself cannot protect the data, and extra measures of protection such as remote data wiping and access controls are needed.

HIPAA also mandates that any subcontractor of an ePHI custodian is subject to the same HIPAA compliance and liability. HIPAA actually covers any entity that does business with a medical practice and touches upon ePHI and its security, and that includes our company.

From the beginning of our relationship with this medical practice we had tried to forcefully convey the importance of HIPAA compliance and taking appropriate measures. Ultimately we ended our relationship with this customer because we felt too vulnerable — there were too many glaring examples of questionable IT security, and they wouldn’t address our recommendations. From our perspective, the money wasn’t worth the risk of being dragged into a HIPAA enforcement action, where, as an IT security provider, we’d be the ones explaining why their policies allowed for unencrypted terminals to walk out the door.

If the medical practice had simply implemented encryption — as they ought to have been doing all along — there wouldn’t have been such a big stir. Under HIPAA, a device containing ePHI can be stolen, and, if that data is encrypted and remote security tools can wipe it, there is no data breach and no requirement for that incident to be reported.
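The detection that surfaced the missing terminal above (a managed device checking in from a public IP the practice does not own) and the encryption distinction HIPAA draws can be turned into a simple inventory review. This is an added example, not EDTS's or Beachhead's code; the address ranges, hostnames, timestamps, the 30-day stale threshold and the severity labels are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed: the practice's own public address range (constructed, RFC 5737 test space).
PRACTICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
NOW = datetime(2015, 7, 15, tzinfo=timezone.utc)

# Constructed asset inventory, one record per managed device as an RMM agent
# might report it: last check-in address and time, disk encryption state,
# and whether the device is expected to hold ePHI.
INVENTORY = [
    {"host": "FRONTDESK-01", "ip": "203.0.113.10", "last_seen": NOW - timedelta(hours=1),
     "encrypted": True, "phi": True},
    {"host": "POS-TERMINAL-2", "ip": "198.51.100.77", "last_seen": NOW - timedelta(hours=2),
     "encrypted": False, "phi": True},
    {"host": "LAB-PC-04", "ip": "203.0.113.22", "last_seen": NOW - timedelta(days=45),
     "encrypted": True, "phi": False},
]

def on_practice_network(ip: str) -> bool:
    """True if the reported address falls inside a range the practice owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRACTICE_NETWORKS)

def assess(device: dict, now: datetime = NOW, stale_after: timedelta = timedelta(days=30)) -> dict:
    """Classify one record. An ePHI device seen off-site is the worst case when
    it is unencrypted; an encrypted one can still be locked and remotely wiped."""
    off_site = not on_practice_network(device["ip"])
    stale = now - device["last_seen"] > stale_after
    findings = []
    if off_site:
        findings.append("checking in from a non-practice IP")
    if stale:
        findings.append("no check-in for %d days" % (now - device["last_seen"]).days)
    if off_site and device["phi"] and not device["encrypted"]:
        severity, action = "critical", "revoke access, cut network, escalate to privacy officer"
    elif off_site and device["phi"]:
        severity, action = "high", "revoke access and remote-wipe sensitive files"
    elif findings:
        severity, action = "medium", "investigate with site staff"
    else:
        severity, action = "ok", "none"
    return {"host": device["host"], "severity": severity, "findings": findings, "action": action}

def review_inventory(inventory=INVENTORY, now=NOW) -> list:
    """Return only the records that need attention, ordered as in the inventory."""
    alerts = [assess(d, now) for d in inventory]
    return [a for a in alerts if a["severity"] != "ok"]

if __name__ == "__main__":
    for alert in review_inventory():
        print(alert)
```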

When it comes to IT security, remote monitoring and management (RMM) tools offer considerable peace of mind — it’s a lot easier to trust the people you hire with access to sensitive data when you know you can have that data locked down and eliminated from any distance.

Delano Collins is Chief Information Officer at EDTS, a full-service technology consulting firm specializing in networking, security and managed IT services for business. The firm helps customers increase productivity and reduce costs associated with information technology.